From 0d2b7fca32690a54683b2ee641bd96f7d047a07c Mon Sep 17 00:00:00 2001
From: Scott Wadden
Date: Thu, 19 Oct 2023 02:09:09 -0300
Subject: [PATCH] Sign and notarize mac app during ci build
---
 .github/workflows/dist_mac.yaml | 34 +++++++++++++++++++++++++++++++--
 enu.nimble | 19 +++++++++++++-----
 2 files changed, 46 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/dist_mac.yaml b/.github/workflows/dist_mac.yaml
index 9bbdff4c..ea5f04a8 100644
--- a/.github/workflows/dist_mac.yaml
+++ b/.github/workflows/dist_mac.yaml
@@ -9,6 +9,38 @@ jobs: uses: actions/checkout@v3 with: fetch-depth: 0 + - name: Install certificates. Write dist_config.json. + env: + DIST_CONFIG: ${{ secrets.PROD_MACOS_DIST_CONFIG }} + CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE }} + CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_PWD }} + CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_NAME }} + KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }} + NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }} + NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }} + NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }} + NOTARIZATION_PROFILE: ${{ secrets.PROD_MACOS_NOTARIZATION_PROFILE }} + run: | + # Adapted from https://federicoterzi.com/blog/automatic-code-signing-and-notarization-for-macos-apps-using-github-actions/ + + # Turn our base64-encoded certificate back to a regular .p12 file + + echo $CERTIFICATE | base64 --decode > certificate.p12 + echo $DIST_CONFIG | base64 --decode > dist_config.json + + # We need to create a new keychain, otherwise using the certificate will prompt + # with a UI dialog asking for the certificate password, which we can't + # use in a headless CI environment + + security create-keychain -p "$KEYCHAIN_PWD" build.keychain + security default-keychain -s build.keychain + security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain + security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain + + echo "Create keychain profile" + xcrun notarytool store-credentials "$NOTARIZATION_PROFILE" --apple-id "$NOTARIZATION_APPLE_ID" --team-id "$NOTARIZATION_TEAM_ID" --password "$NOTARIZATION_PWD" + - name: Install build deps run: brew install nim scons yasm - name: Install nim 
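Review bot: The decoded `certificate.p12` and `dist_config.json` are left in the workspace after the import step, and `dist_config.json` appears to carry the keychain password and notarization settings (the nimble side of this patch reads `keychain-password` and `notarize-profile` from it), so any later step that caches or uploads the working tree can expose the signing identity; delete the PKCS#12 as soon as the import has succeeded, `rm -f certificate.p12`, and add a final step with `if: always()` whose run line is `security delete-keychain build.keychain` so the unlocked keychain does not outlive the job. The unquoted `echo $CERTIFICATE` and `echo $DIST_CONFIG` are word-split by the shell; they happen to work for base64 text but should be `echo "$CERTIFICATE" | base64 --decode > certificate.p12`. Since this job now holds production signing secrets, it should not be reachable from fork-triggered events such as `pull_request_target` — the workflow's trigger block is outside this hunk, so that is worth confirming. The enclosing job and its steps list start before the hunk.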
@@ -24,8 +56,6 @@ jobs: run: nimble setup - name: Save SHAs of submodules run: 'git submodule status > .submodules.tmp' - - name: Prep dist config - run: cp dist_config.example.json dist_config.json - name: prereq cache id: prereq-cache uses: actions/cache@v3
diff --git a/enu.nimble b/enu.nimble
index cf6fb43a..0f6c2420 100644
--- a/enu.nimble
+++ b/enu.nimble
@@ -205,7 +205,7 @@ task gen, "Generate build_helpers": discard gen() proc code_sign(id, path: string) = - exec &"codesign -s '{id}' -v --timestamp --options runtime {path}" + exec &"codesign --force -s '{id}' --options runtime {path} -v" task dist_prereqs, "Build godot debug and release versions, and download fonts": p "Buiding distribution prereqs..."
@@ -293,6 +293,10 @@ task dist_package, "Build distribution binaries": if config["sign"].get_bool: let id = config["id"].get_str + if "keychain" in config: + let keychain = config["keychain"].get_str + let password = config["keychain-password"].get_str + exec &"security unlock-keychain -p \"{password}\" {keychain}" code_sign(id, "dist/Enu.app/Contents/Frameworks/enu.dylib") code_sign(id, "dist/Enu.app") 
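Review bot: The rewritten `codesign` line in `code_sign` drops `--timestamp`, and a secure timestamp is one of Apple's stated requirements for notarization; unless the removal was deliberate, the `notarytool submit` added later in this patch is likely to come back with "The signature does not include a secure timestamp", and even a signature that passes stops validating once the certificate expires. Keep the flag and quote the path so a space in the app path cannot split the argument: `exec &"codesign --force -s '{id}' --timestamp --options runtime \"{path}\" -v"`. `code_sign` is complete within the hunk; `task dist_prereqs` continues past it.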
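Review bot: The added `security unlock-keychain -p \"{password}\" {keychain}` puts the keychain password on the command line, where it is visible in the process list and in nimble's command echo when it runs verbosely, and `config["keychain-password"].get_str` raises on a config that names a keychain without a password (assuming `config` is a JsonNode). Since the workflow step in this same patch already unlocks `build.keychain` before nimble runs, the unlock can be made conditional, `if "keychain-password" in config:` around the `password` lookup and the `exec`, which also lets the CI config omit the password entirely. `dist_package` starts before this hunk and continues after it.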
@@ -303,11 +307,16 @@ task dist_package, "Build distribution binaries": exec &"mv {package_name} dist" if config["notarize"].get_bool: - let - username = config["notarize-username"].get_str - password = config["notarize-password"].get_str + if "notarize-profile" in config: + let profile = config["notarize-profile"].get_str + exec &"xcrun notarytool submit \"dist/{package_name}\" --keychain-profile \"{profile}\" --wait" - exec &"xcrun altool --notarize-app --primary-bundle-id 'ca.dsrw.enu' --username '{username}' --password '{password}' --file dist/{package_name}" + else: + let + username = config["notarize-username"].get_str + password = config["notarize-password"].get_str + + exec &"xcrun altool --notarize-app --primary-bundle-id 'com.getenu.enu' --username '{username}' --password '{password}' --file dist/{package_name}" elif host_os == "linux": gen_binding_and_copy_stdlib("server")
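Review bot: The outcome of `xcrun notarytool submit ... --wait` is never verified: `exec` only fails on a non-zero exit, and depending on the Xcode version `notarytool` can exit 0 when the submission finishes as Invalid, so a rejected notarization would still yield a "successful" dist build. Following the submit with a staple, `exec &"xcrun stapler staple \"dist/Enu.app\""` (or the dmg, if that is what `package_name` is), both attaches the ticket for offline Gatekeeper checks and fails the task when no ticket was issued. The `altool --notarize-app` fallback kept in the `else` branch passes the password on the command line and does not wait for or check a result, and Apple has announced the end of altool notarization for 1 November 2023; failing with a clear message when `notarize-profile` is absent would be safer than keeping it. `dist_package` starts before this hunk and its linux branch continues after it.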